Notepad is displayed every StartUp of WIN 98SE

Discussion in 'Legacy Windows' started by thorsak, 2003/03/04.

Thread Status:
Not open for further replies.
  1. 2003/03/11
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Thought I'd post this for those who aren't comfortable editing the registry. Another way to get rid of it. Open windows explorer, click tools >folder options>file types. Scroll through the file types until you find readme and delete it.
     
  2. 2003/03/11
    WhitPhil

    WhitPhil Inactive

    Joined:
    2002/01/07
    Messages:
    599
    Likes Received:
    4
    One way or the other, please don't "just delete it".

    It is extremely important to see what these registry entries look like.

    If these keys are set up in such a way that Notepad could start, it also means that a trojan/virus/worm can use the same "trick". And since StartupList doesn't log it, it means it is not one of the standard hiding places for these things.

    If we can discover how it starts, we can have programs like Startuplist modified to start looking for it!
     

  4. 2003/03/11
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I can only suggest one place to look, one that didn't show up in StartupList. At this key in the registry {HKCU}.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Just a thought.
     
  5. 2003/03/11
    WhitPhil

    WhitPhil Inactive

    Joined:
    2002/01/07
    Messages:
    599
    Likes Received:
    4
    The default Startuplist only lists entries if there is actually something there, or if it is not a Windows default (like Explorer being in more places than \Windows).
    That's why I believe we either have a new "loophole", or a bug in Startuplist.
     
  6. 2003/03/12
    thorsak

    thorsak Inactive Thread Starter

    Joined:
    2003/03/04
    Messages:
    14
    Likes Received:
    0
    Mystery of Notepad RESOLVED...!

    So finally - a victory over the stubborn Notepad: no more Notepad after the WIN Startup...!
    ... and - the winners are:

    mflynn & goddez1 & WhitPhil
    (who were the closest in identifying the bad culprit)

    ...and the winners are also ALL of those who helped me to resolve this 'crazy problem' - MANY THANKS, guys...!

    And the 'crazy problem' was caused by the following:

    - as I promised to you yesterday I would disable the NZDD.DLL (you're right it belongs to 'RealNetworks', possibly to RealDownload) BUT the main thing - it did NOT help

    - I then ran the StartUp.Log which provides a nice summary of all programs at StartUp and - mainly showed again the C:\Program path BUT the path was split to 2 lines so although it looked originally (in the Startup List report) like only C:\Program path, the StartUp.Log report lists 2 lines as follows:

    "PowerQuest Startup Utility"="C:\\Program --->
    Files\\PowerQuest\\PartitionMagic4\\UTILITY\\--->
    MMOVER32\\PQINIT.EXE"
    ---> now, although I know this 'PartitionMagic' path very well, I still have no idea how in the other report (I think it was in the Startup List report) it got displayed as only C:\Program - which would indicate a filename(?!?). Anyway...

    - ...I therefore searched further for the mysterious filename 'Program' in the path 'C:\Program', and: I found it in C:\ and it surely must have been 'somehow' created during my use of 'PartitionMagic'. Well - when I opened this file (which was defined by WinExplorer as 'Readme' type of file), it was EMPTY - NOTHING there! So I immediately deleted it, rebooted and ...VOILA - no more Notepad after the WIN StartUp...!

    This is really crazy case but - isn't it sometimes true that we are looking for all kinds of highly complex and tricky causes of such problems and then - we are (ONLY SOMETIMES!) fooled by an ordinary and empty 'Readme' file 'stuck' in a wrong path?!?

    Anyway - I'm glad the mystery is solved and I again THANK ALL who had the patience to keep trying in helping me resolve this 'weird' problem!

    [PS to WhitPhil: Please let me know if you are interested in getting my copy of the StartUp.Log: I understand you were involved in the development of this great Utility, and I wouldn't mind at all to send you a copy of the 7-page long report - which I probably should send you through a private mail (?!?) so that I don't plug with it the BBS. Please just let me know...! Also, can you tell me how to stop showing the 'StubPath.txt' on my Desktop?
    Thanks!]

    Again guys - MANY THANKS for a great 'trouble-shooting' session through Internet which went very well and was very rewarding. 'Windows BBS' is really a great, great BBS...!
    ...Tony H.
     
    Last edited: 2003/03/12
  7. 2003/03/12
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Yahoo,
    You're most welcome. This was a great group effort by all involved and fun to boot.

    So the mystery is solved. I'm so glad. Kind of bittersweet as it made checking into the board these last few days quite an anticipation.

    Oppps,
    I wish I had only a thimble full of the expertise and knowledge it takes to write/produce software. WhitPhil is the member involved in the development of the wonderful Tool, "Startuplist". It is used quite frequently on the board and has helped a great many members in a variety of ways. Thank you WhitPhil.

    Thanks for hanging in there and not giving up. So many have thrown down the white flag with this kind of nuisance and re-installed. While it does take care of the problem it doesn't do much for curiosity in the original problem. :D
     
    Last edited: 2003/03/12
  8. 2003/03/12
    thorsak

    thorsak Inactive Thread Starter

    Joined:
    2003/03/04
    Messages:
    14
    Likes Received:
    0
    Thanks for your great help, Ann...!

    Thanks again, Ann!

    I'm sorry I actually gave the credit for the development of the great 'StartUp.Log' to you instead of WhitPhil but - I've just edited my original message so now it should be all corrected! I'm new to this very helpful 'Windows BBS' and just now I've learned that you can print out the whole trouble-shooting session as 1 page which is great for keeping updated about individual responses, and this greatly helps in avoiding to get mixed up in regard to giving the deserved credit to the right person...

    Anyway, it was great collaboration among many members of this BBS, and in spite of getting a 'good share' of frustration, I don't regret the time spent: I have a science background (Chemistry) and used to be a Programmer so I like a METHODICAL approach in problems solving. What I really strongly dislike in the area of Computer technology is often very irresponsible approach by Software developers in terms of making unwanted changes of some critical (and shabby) System files (and Drivers) with which they replace the original Windows System files, and 'this mess' in my opinion causes most of WIN crashes to the end-users. I think we should all get together and form some kind of 'National Coalition of Software Users' and fight for some rules and a better organized system to prevent such messy practices...!

    Anyway - perhaps this could be one of our future topics for a discussion...!

    ...Tony
     
  9. 2003/03/12
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Great Thorsak

    I agree with Ann, too many people jump on a reinstall too quickly.

    1. they don't learn anything
    2. so don't know how to handle it next time either

    When you do it like you did you always come to a greater understanding of the OS than what it took to just correct the problem.

    Course I'm a problem solver, it is a challenge to me!

    Mike
     
  10. 2003/03/12
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Well, I am very glad to read that the problem is solved. The only re-install that would have fixed that would be format and start over. An overtop more than likely would not have fixed it.

    For comparison only.

    PowerQuest Startup Utility = C:\Program
    Files\PowerQuest\PartitionMagic5\UTILITY\MMOVER32\PQINIT.EXE


    Note;

    If this shows anything else the end of first line is after C:\program. The rest is all on the 2nd line.

    The above is a copy/paste from Startuplist which I ran just now cause I recognized the PQINIT.EXE.

    It shows in the

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run


    Section of Startuplist ( copy.paste also )

    The only difference that I see ( outside of version # ) may be the way Startuplist displayed it.

    BillyBob
     
    Last edited: 2003/03/12
  11. 2003/03/12
    WhitPhil

    WhitPhil Inactive

    Joined:
    2002/01/07
    Messages:
    599
    Likes Received:
    4
    thorsak:

    Congrats on finding the problem, but I think you are pointing at the wrong culprit, PartitionMagic.

    You indicated that the StartUplog you ran, showed

    "PowerQuest Startup Utility"="C:\\Program --->
    Files\\PowerQuest\\PartitionMagic4\\UTILITY\\--->
    MMOVER32\\PQINIT.EXE"

    But the StartupList you ran showed the identical thing,

    PowerQuest Startup Utility = C:\Program
    Files\PowerQuest\PartitionMagic4\UTILITY\MMOVER32\PQINIT.EXE

    The NotePad problem was definitely due to the fact that you had a folder (file??) called PROGRAM in the root directory. This is one of those strange-oh things that will cause EXPLORER to start at boot time.

    In this case, this folder/file was somehow related to a README file type (this is not to be confused with the traditional README.txt things. This is a Filetype like EXEFILE, which is linked for the extension .EXE in the registry).

    BTW You can use Startuplist to get the same comprehensive output. Just run it with the /Verbose or /Complete option.
    StubPath is one of those byproducts that is seldom used, but is needed to be produced, just in case that is where the trojan was starting from.

    ***I would still like you to go into the HKCR key and do the find that I suggested in my last post, and then copy the contents of the keys back here.


    Ann: As a FYI, to clarify the Startup* programs.

    The one called StartupList is the latest, and is written in a high-level language by Merijn Bellekom.

    StartupLog is written by Rmbox and started on the VirtualDr board as a trojan troubleshooter. It is written using DOS based constructs and thus is restricted in the analysis it can do, and also the platforms it can run on. (this is the one I was involved with)

    But now, with the additional analysis capabilities, I am recommending StartupList.
     
    Last edited: 2003/03/12
  12. 2003/03/12
    thorsak

    thorsak Inactive Thread Starter

    Joined:
    2003/03/04
    Messages:
    14
    Likes Received:
    0
    'Postwar' action...

    Hi WhitPhil:
    I agree the bad culprit was the 'Program' name I found in C:\ and it was definitely a FILE not a folder: the WIN-Explorer under 'Properties' described it as a 'Readme type of file' (whatever that means) and that was 'the end of the story' (no further info given). And as I already mentioned when I then clicked on it - it opened in Notepad, and it was empty - strange!

    I just think that the PartitionMagic 'somehow' created this 'Readme' file (I used it after the WIN 98SE installation), and I'm interested to know what is the function of such 'Readme' file/s and how was it created because quite frankly it was an unpleasant surprise for me to find a file in my PC with such a 'risky' filename - I never name files using general comp. terminology like that!

    Furthermore, it's too bad that none of the WIN & other Disk-cleaning Utilities ever questioned such an EMPTY file for its integrity. I think that's probably because all of these Utilities are mainly focusing on the extensions of the files and process them accordingly. Is there any 'CleanUp' Utility which would also question/report EMPTY files and ask the user if they can be deleted? As we all know (e.g. after this trouble-shooting session), such a Utility would save the end-users a lot of time in detecting such a crazy (and unnecessary) nightmare...!

    Anyway, I'm still going to check the HKCR key - perhaps you will be then able to help me understand how this 'trouble' Readme-file was created because I sure like to avoid such a weird thing from happening in the future...

    THANKS and - I'll be in touch!
    ...Tony
     
  13. 2003/03/12
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    just think that the PartitionMagic

    I would not say PM in general. As the key ( or what ever ) points to Magic Mover ( MMOVER32/PQINIT.EXE ) which is not actually part of Partition Magic per se. It is a separate program. ( utility )

    MM is included with but not actually part of PM

    I have PQINIT.EXE showing up in Startup COP. And MM will not work properly if it is not there.

    I would be willing to entertain a wild guess that at sometime or other there may have been a hiccup during the use of Magic Mover and it did not complete properly.

    BillyBob
     
    Last edited: 2003/03/12
  14. 2003/03/12
    thorsak

    thorsak Inactive Thread Starter

    Joined:
    2003/03/04
    Messages:
    14
    Likes Received:
    0
    Here is the copy of the Registry keys...

    Hi WhitPhil:
    Here are the exported keys:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file01]
    @="Readme"
    "EditFlags"=hex:00,00,00,00
    "AlwaysShowExt"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file01\Shell]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file01\Shell\Open]
    "EditFlags"=hex:01,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file01\Shell\Open\command]
    @="C:\\WINDOWS\\Notepad.exe %1"

    These are the keys from first 'Find' run.
    __________________

    Just in case, I'm also including SOME additional keys which popped up while pressing the F3-key for next entries: they are similar to README name but already with some extensions like "Readme.gil" & "ReadMe.pdf" (probably not that important!?!):

    (1)
    REGEDIT4

    [HKEY_CLASSES_ROOT\gilfile]
    @="Readme.gil"
    "EditFlags"=hex:00,00,00,00

    [HKEY_CLASSES_ROOT\gilfile\Shell]
    @=""

    [HKEY_CLASSES_ROOT\gilfile\Shell\open]
    "EditFlags"=hex:01,00,00,00

    [HKEY_CLASSES_ROOT\gilfile\Shell\open\command]
    @="C:\\WINDOWS\\Notepad.exe %1"

    ____________________

    ==================================
    So that's what I've got from the HKEY_Classes_Root.
    Please let me know if you would need more info from Regedit.

    Thanks!
     
  15. 2003/03/12
    WhitPhil

    WhitPhil Inactive

    Joined:
    2002/01/07
    Messages:
    599
    Likes Received:
    4
    Neat stuff!!

    I need you to do one more FIND for me.

    Again, starting in HKCR, but this time for FILE01

    Thanks
     
  16. 2003/03/13
    kobra

    kobra Inactive

    Joined:
    2003/03/12
    Messages:
    2
    Likes Received:
    0
    Hi Guys,
    I'm new on the block and this is my first post, so take it easy on me, OK?

    I got a couple of specific things to check - might help...
    Registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    also, you might have a winstart.bat (usually in the WINDOWS folder) which has been known to cause grief of the sort under examination.

    Dave
     
  17. 2003/03/13
    kobra

    kobra Inactive

    Joined:
    2003/03/12
    Messages:
    2
    Likes Received:
    0
    I SAID I was new....
    I posted the above reply after seeing only the first page of the thread. Then I was taken to page 4....
    So sorry.
     
  18. 2003/03/13
    thorsak

    thorsak Inactive Thread Starter

    Joined:
    2003/03/04
    Messages:
    14
    Likes Received:
    0
    Copy of HKCR - FILE01 key...

    Hi WhitPhil:

    Here is the copy of the FILE01 key from the HKCR (I assumed you're referring to the HKEY_Classes_Root?):

    REGEDIT4

    [HKEY_CLASSES_ROOT\.]
    @="file01"
    "Content Type"="text/plain"

    Although I don't have the full understanding of this key I suspect it refers to a text-file type?!? Please explain further.
    BTW WhitPhil: what VERSION of the 'Process Viewer' are you using, and does YOUR Version have the 'Properties' Option in the pop-up Menu when you highlight and right-click the filename? I'm trying to find out WHY I could not find the 'Properties' Option in the pop-up Menu after I run it after the Notepad automatically opened after each WIN-StartUp earlier in this trouble-shooting session. My Version of the Process Viewer is: 2.1.0.1.

    THANKS!

    [PS: kobra
    - thanks for your response!]

    [PS: BillyBob
    - You're right, the reference there was to the Magic Mover (MMOVER32/PQINIT.EXE) as a separate part of the PartitionMagic, and - I DID use it at around the time while having this Notepad problem...! BTW the 'Magic Mover' is an excellent Utility for MOVING Program folders WITH ShortCuts to other locations, and so far I found it flawless in doing the moving CORRECTLY to avoid error messages after moving the ShortCuts to different location/s - do NOT recommend moving folders by a simple 'dragging' process!]

    Thanks.
     
  19. 2003/03/13
    WhitPhil

    WhitPhil Inactive

    Joined:
    2002/01/07
    Messages:
    599
    Likes Received:
    4
    thorsak:

    Thanks for the REGs.

    Now, here is the explanation. I don't know what created the REG entries or what created the PROGRAM file but here is why Notepad is opening.

    If anyone wants to try this, copy/paste the following into a REG file and add it to your registry. And create a file called Program in the root of c:\, and then boot.

    ------------------------------------------------------------------------
    Code:
    REGEDIT4

    [HKEY_CLASSES_ROOT\.]
    @="file01"
    "Content Type"="text/plain"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file01]
    @="Readme"
    "EditFlags"=hex:00,00,00,00
    "AlwaysShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file01\Shell]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file01\Shell\Open]
    "EditFlags"=hex:01,00,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file01\Shell\Open\command]
    @="C:\\WINDOWS\\Notepad.exe %1"

    --------------------------------------------------------------------------------
    (ensure that the last blank line is there! Also, ensure that each of the [HKEY.... lines is entirely on one line, and not wrapped like they are above. And get rid of the blank line in front of @= "', which, for some reason, I can't make go away!!)

    What this is doing, is making any file with no extension (such as PROGRAM), to be of type "Readme", and opening it, will open it in Notepad.

    The side effect that is happening, is that when Windows is trying to start a program from a RUN key, that is of the form, "C:\Program Files\.......", instead of chasing down the "real" directory "Program Files" and finding the program that is to start, it finds the file "Program" instead, and starts it.

    When I tried this originally, I had a couple of NotePads start, because I had a couple of RUN entries that contained "Program Files". When I changed these to "Progra~1" the NotePads stopped opening.

    thorsak:

    Go into REGEDIT and delete the key
    HKEY_CLASSES_ROOT\.

    (*****note it is just the one with the period!!)

    and also delete

    HKEY_CLASSES_ROOT\file01

    (select the ".", right mouse, delete. Select File01, right mouse, delete)

    Also note that it was Ann running Process View, not me.
     
    Last edited: 2003/03/13
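
The resolution described in the post above can be modelled offline to audit Run-key values for the same exposure. This is an added example, not code from the thread or from StartupList: the association tables mirror the keys posted in the thread, while the "Quoted example" and "Short name example" entries, the fake file listing and all function names are constructed for illustration. Besides the bare prefix the thread hit, it also probes the prefix plus ".exe", which is what CreateProcess is documented to try for unquoted paths.

```python
import ntpath

# Model of the keys posted in the thread: HKCR\. -> file01 -> Notepad.
ASSOC = {".": "file01"}
OPEN_COMMAND = {"file01": r"C:\WINDOWS\Notepad.exe %1"}

PQINIT = r"C:\Program Files\PowerQuest\PartitionMagic4\UTILITY\MMOVER32\PQINIT.EXE"

# Run-key values: the first is from the thread, the other two are constructed.
RUN_ENTRIES = {
    "PowerQuest Startup Utility": PQINIT,
    "Quoted example": r'"C:\Program Files\Example\app.exe" /min',
    "Short name example": r"C:\Progra~1\Example\app.exe",
}

# Constructed file listing standing in for the real disk (lower-cased).
FAKE_FS = {r"c:\program", PQINIT.lower()}


def fake_exists(path):
    """Case-insensitive lookup in the constructed listing."""
    return path.lower() in FAKE_FS


def candidate_paths(command):
    """Paths that may be tried for a command, shortest first.

    A quoted command has exactly one candidate. An unquoted command is
    ambiguous at every space, so each prefix ending at a space is a candidate.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return [command[1:end] if end != -1 else command[1:]]
    out = []
    for i, ch in enumerate(command):
        if ch == " ":
            prefix = command[:i].rstrip()
            if prefix and prefix not in out:
                out.append(prefix)
    out.append(command)
    return out


def launched_command(path):
    """What the shell 'open' verb would run for path, or None if no association."""
    ext = ntpath.splitext(path)[1].lower() or "."
    progid = ASSOC.get(ext)
    if progid is None:
        return None
    return OPEN_COMMAND[progid].replace("%1", path)


def audit_run_entries(entries, exists):
    """Report (entry name, shadowing file, what starts instead) for each hit."""
    findings = []
    for name, command in entries.items():
        for prefix in candidate_paths(command)[:-1]:
            for probe in (prefix, prefix + ".exe"):
                if exists(probe):
                    findings.append((name, probe, launched_command(probe) or probe))
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(RUN_ENTRIES, fake_exists):
        print(finding)
```

Quoting the value or using the short name, as in the "Progra~1" change described in the post, leaves only one candidate, so those entries produce no finding.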
  20. 2003/03/13
    thorsak

    thorsak Inactive Thread Starter

    Joined:
    2003/03/04
    Messages:
    14
    Likes Received:
    0
    'Mystery of Notepad' explained...

    Many thanks WhitPhil for the concise explanation...!

    I feel you're absolutely CORRECT! I was also (and always) getting a COUPLE of NotePad started... I surely dislike the flaw in Windows which is, as you stated, while it's trying to start a program from a RUN key that is of the form "C:\Program Files\.......", instead of chasing down the "real" directory "Program Files" and finding the program that is to start, Windows is trying to start a program from a RUN key, that is of the form, "C:\Program...! I feel this is a bad flaw and it should have been fixed by Microsoft...

    In reference to my question re the Process Viewer Version: I know that it was Ann who suggested to me to run it, I just thought you are also using this Utility OR: do you feel it has some shortcomings?

    Finally re my other question to you: do you know about any reliable Utility which (e.g. during Disk CleanUp) checks and questions the integrity of such empty (and useless) non-temporary files?

    Many thanks!
     
    Last edited: 2003/03/13
  21. 2003/03/13
    WhitPhil

    WhitPhil Inactive

    Joined:
    2002/01/07
    Messages:
    599
    Likes Received:
    4
    No, I don't run Process Viewer. If I need to look deeper, I use TaskInfo.

    As for the "useless" files, a utility may exist that will find empty files, BUT, it is you the user, that has to know that they are useless. This is not something that a utility can be programmed for. And, if it says it does, it is wrong.

    For example, a running program may create a LOG file that is used to log (note) any detected errors. Obviously, if none are detected the file will be empty. If the file is deleted, this same program may fail, since it expects the file to always be there, empty or not.

    Empty files are really not causing any problems (unless they are called PROGRAM and live in c:\ :) ). They take up minimal disk space, and will cause you more time and effort to figure out their use, than is warranted.
     